
Insider Threat


Description: Insider Threat (PowerPoint presentation) by Adnan Sheikh, Claudio Paucar, Osezua Avbuluimen and Bill Fekrat. Agenda: Insider Threat Overview; Enabling Technologies; Governance, Risk & Compliance.


Enabling Technologies to Detect/Deter Insider Threats

Adnan Sheikh, Claudio Paucar, Osezua Avbuluimen, Bill Fekrat

Insider Threat

Agenda
- Insider Threat Overview
- Enabling Technologies
- Governance, Risk & Compliance

Insider Threat Overview
Insider threat: Employees, Customers, Partners or Suppliers

Statistics and Recent Incidents
- 58% of information security incidents are attributed to insider threats.
- 75% of insiders stole material they were authorized to access, and trade secrets were stolen in 52% of cases.
- 54% used network email, a remote network access channel or network file transfer to remove the stolen data.
- Most insider data theft was discovered by non-technical staff members.
Sources: http://www.indefenseofdata.com, http://www.infosecurity-magazine.com

Statistics and Recent Incidents
- Former Fed supervisor succeeds in downloading about 70 of the 300 confidential computer files on his last day of work.
- Edward Snowden NSA leak

Average Cost: Financial Services
- Detection or discovery
- Escalation
- Notification
- Ex-post response
- Turnover of existing customers
- Diminished customer acquisition
$500 * 10,000 customers = ($5M)

Evolution of Security Threats

Protection: Network perimeter (firewalls, IDS, proxies, AntiVirus, DHCP, DNS)
Detection technique: Signature based

Protection: + Internal network, host (AntiVirus, OS, application logs, email, net flow)
Detection technique: Signature based + Network anomaly

Protection: + Data Leak Protection (DLP), DRM, personnel data, data object interaction, non-network data
Detection technique: Signature based + Network anomaly + Data mining, behavioral

Insider Threat: the most costly and damaging

Security Framework
(Figure: "Without a planned framework" OR "With a planned framework"; image sources: msn, Cisco)

Enterprise Security Architecture

https://www.ictstandard.org/article/2010-10-28/creating-enterprise-security-architecture

Enabling Technologies to Detect/Deter Insider Threats

Protecting Service Operations
What is the threat?
- Employees downloading large amounts of sensitive data, potentially stockpiling before they leave the company
How to address it
- Employ SIEM (Security Information and Event Management) technology to analyze log files, then define and monitor for particular events
- Allows you to look for unusual patterns in data access and use, such as an employee extracting large amounts of data from internal systems
Benefits
- Real-time and historical auditing of system access and data usage
Drawbacks
- Commercial options are more expensive to implement
- Need to invest time to learn the tools and understand your data to determine what systems and patterns you need to monitor
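As an added illustration of the SIEM use case above (not code from the presentation or any vendor): a small Python detector that aggregates constructed file-server download records per user and day, then flags a day whose volume sits far above that user's own leave-one-out baseline, so a steady heavy user is not confused with a sudden bulk extraction. The log format and the users alice and bob are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed file-server download log (timestamp, user, bytes), not real data.
# alice has a small steady footprint until an after-hours bulk download on 03-05;
# bob legitimately moves ~5 MB every day, so that volume is normal for him.
SAMPLE_LOG = """\
2024-03-01T09:12:00 alice 120000
2024-03-01T10:01:00 bob 5000000
2024-03-02T09:30:00 alice 95000
2024-03-02T11:15:00 bob 4800000
2024-03-03T09:05:00 alice 110000
2024-03-03T14:20:00 bob 5100000
2024-03-04T09:40:00 alice 100000
2024-03-04T16:00:00 bob 4900000
2024-03-05T10:00:00 bob 5000000
2024-03-05T18:45:00 alice 9000000
2024-03-05T19:10:00 alice 7500000
"""

def daily_volumes(log_text):
    """Aggregate raw records into {user: {day: total_bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, nbytes = line.split()
        totals[user][ts[:10]] += int(nbytes)
    return totals

def flag_spikes(log_text, k=3.0, ratio=2.0, min_history=3):
    """Return [(user, day, bytes)] for days whose volume is far above the
    user's own baseline, built leave-one-out from that user's other days:
    above mean + k*stdev AND above ratio*mean (the ratio guard stops a
    flat history with zero stdev from flagging trivial changes)."""
    alerts = []
    for user, by_day in daily_volumes(log_text).items():
        for day, volume in by_day.items():
            history = [v for d, v in by_day.items() if d != day]
            if len(history) < min_history:
                continue  # not enough history to build a baseline
            base = mean(history)
            if volume > base + k * pstdev(history) and volume > ratio * base:
                alerts.append((user, day, volume))
    return sorted(alerts)

if __name__ == "__main__":
    for user, day, volume in flag_spikes(SAMPLE_LOG):
        print(f"ALERT {user} moved {volume} bytes on {day}, far above baseline")
```

In a real SIEM the same rule would run as a scheduled search over the normalized file-access events, with the history window and thresholds tuned per role.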

SIEM Capabilities
- Scalable architecture and deployment flexibility
- Real-time event data collection
- Event normalization and taxonomy
- Real-time monitoring
- Behavior profiling
- Threat intelligence
- Log management and compliance reporting
- Analytics
- Incident management support
- User activity and data access monitoring
- Application monitoring
- Deployment and support simplicity

SIEM Vendors

SIEM Vendor Analysis

IBM QRadar
  Strengths: Behavior analysis; Threat analysis; Compliance use cases
  Weaknesses: Cost

HP ArcSight
  Strengths: Comprehensive solution; More prebuilt adapters for ERP, SaaS tools; More prebuilt reports & dashboards
  Weaknesses: Complex to deploy

Splunk
  Strengths: Log management; Application monitoring; Analytic capabilities; Customization capabilities
  Weaknesses: Complex to configure and deploy

SIEM Cost: Splunk Enterprise
License cost: $1M perpetual license to analyze 1TB / day
Annual support: $250,000
Services & training: $75,000
Total: $1.325M first year

Recommendation: Choose Splunk Enterprise Edition
- SIEM provides the right functionality for log management and analysis so that we can monitor insider threats against critical information
- More cost-effective than other vendors considered
- Need to invest in dedicated resources to ensure we get the greatest value from the technology and the best protection of our sensitive data
- Leader in Gartner's latest Magic Quadrant

Identity/Access Management Systems
Description: Identity management systems manage the identity, authentication, and authorization of individual principals within or across system or enterprise boundaries.

Methodology
- Centrally manage the provisioning and de-provisioning of identities, access and privileges
- Provide personalized, role-based, online, on-demand, presence-based services to users and their devices
- Ensure use of a single identity for a given user across multiple systems

Identity/Access Management Systems

Oracle Identity Management Suite
License cost: $2.25M for 10000 employees, installed on servers running up to four processors
Annual support: $500k
Services and training: $100k
Total: $2.85M for first year

Governance, Risk & Compliance

GRC Landscape

Enterprise GRC Platforms

GRC Vendor Analysis

MetricStream
  Strengths: Top rated in content/risk and control management tools; Flexible collaboration features; Customization capabilities; Strong consulting services arm
  Weaknesses: No mobile interface

BWise
  Strengths: Robust platform; Flexible risk & control features; Standalone control monitoring features
  Weaknesses: Less support from consulting firms; Complex solution

IBM OpenPages
  Strengths: Strong analytics features; Leverages Cognos reporting capabilities with mobile features
  Weaknesses: Not fully integrated with other products

RSA Archer
  Strengths: Acquired by EMC; Easy to navigate interface
  Weaknesses: RSA acquisition; Cost

Recommendation
- Out-of-the-box functionality: Pre-configured workflows and embedded reports provide a "plug and play" capability that reduces the time needed for implementation.
- Pre-loaded content: Pre-loaded industry regulations and libraries provide access to industry best practices: 2000 IT control statements to more than 400 regulations, and standard frameworks such as COBIT, ISO 27002 and ITIL for implementing best practices.
- Simple to use: Intuitive user interfaces and minimal clicks per functionality enable customers to quickly access information while also reducing the time required to train system users.
- GRC via Cloud: MetricStream's hosting model can be implemented quickly, and takes the pressure off banks who have limited resources to manage IT hardware and software.
- Flexible pricing: In addition to an on-premise solution, MetricStream also provides a subscription license model option that eliminates the need for up-front capital expenditures.
- Scalability through an integrated platform: MetricStream solutions are built on an underlying GRC platform which allows customers to extend the solution from one functional area to another (e.g. risk management, internal audit, IT-GRC) without having to invest in expensive system integration initiatives.
Choose MetricStream Enterprise Edition

MetricStream IT GRC Solution
License cost: $500,000 perpetual license
Annual support: $100,000
Services & training: $100,000
Total: $700,000 first year

Thank You!

Backup Slides

Network Segmentation and Device Configuration
Description: Strategically employ firewalls, routers and switches to route and filter packets within and across zones in the enterprise network

Methodology
- Employ stateful inspection of packets and application-aware firewalls
- Whitelist each connection (deny by default)
- Internal firewalls may be configured to protect portions of the network from each other
- Use ACLs on routers and firewalls to provide a basic layer of security

Network Segmentation and Device Configuration

Network and Host-based IDS/IPS
Description: These gather and analyse information from the network traffic and host systems to identify possible threats posed from crackers inside and/or outside the network.

Methodology
- Employ IDS to alert on suspicious inbound/outbound traffic
- Detect malicious code changing properties of files, such as their sizes

Endpoint Protection Platforms (EPP) Gartner Rankings